Friday, January 28, 2011

This has absolutely nothing to do with security...

...and yet, it does. I could also have titled this post missing the forest for the trees. I had an interesting experience recently (two, actually), that I thought really drove home a point we in the information security field, and in fact in any field that makes rules, often forget. We forget the reason for rules, or we do not adequately express the reasons to those that must follow the rules. The result can be quite frustrating to those required to comply.I recently spent a week in Costa Rica - a beautiful country, I might add, but also my first experience outside the United States and its immediate neighbors, so there were a few cultural and communication challenges to overcome. One evening, after signing out and calling for a taxi to take me to my hotel, I decided to check my personal email while waiting in the lobby. I had a half hour to wait, and didn't want to sit there bored for a half hour. The security guard approached me and politely but firmly said I could not use my computer in the lobby. I asked for an explanation, and after overcoming a slight language barrier, I understood that "it was policy." OK ... I can think of a few reasons for such a policy - perhaps this city has had a problem with crime or corporate espionage and wants to treat the lobby as the unsecured space that it is (though I had no intention of viewing anything confidential in a semi-public space). So, being the somewhat persistent (stubborn?) person that I am, I pushed for the reason for the policy. The security guard called her supervisor, who called her supervisor, and eventually the answer came back "ergonomía" - ergonomics. I could not use the computer in the lobby, because I did not have a mouse attached! This office is making a very strong push to eliminate repetitive strain injuries by prohibiting laptop use without an external mouse. So I pulled my mouse out of my bag, attached it, and everyone was happy. Now that could be the end of the story, but if I stop there, I ignore my point. Had I simply complied with the policy the security guard was instructed to enforce - had I gone back inside the building and waited in a conference room instead, sans mouse, I would have satisfied the guard while completely ignoring the problem the policy was intended to prevent. I would have continued to risk wrist injury by using the onboard eraser nub.How many other policies do we have like this? How many times have we inadequately trained our "enforcers," as well as the rest of the employees, to follow rules instead of explaining the goal? Rules and policies are necessary - but they invariably have a purpose. If we merely enforce the rules, without explaining the purpose, we often end up defeating the very reason for those policies. Now if only I could understand why the security guard told me tonight I could not sit on the steps outside the lobby, and instead must stand on those steps...

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen

Whois David?

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.